#Added– SARIF File Generation, Pro users can now generate and download SARIF files, enabling seamless integration with other SAST providers and security tools.
#Added– Implemented XGBoost feature caching for Missing Access Control detection, reducing detector runtime by ~80%
#Added– Added loading indicators throughout the platform to ensure data availability before user actions
#Added– Deployed robust frontend Sentry integration for improved bug identification and tracking
#Changed– Rolled out enhanced CI/CD guarantees on our core detectors with rigorous typechecking and code quality standards (mypy + ruff) to maintain long-term velocity and stability
#Changed– Reduced frontend bundle size dramatically with improved chunking, resulting in faster load times and enhanced performance
#Changed– Optimized Docker layer caching and test parallelization, reducing average deployment times for detectors from 15 minutes to 8 minutes, enabling faster value delivery and shorter incident response times
#Changed– Improved memory management, reducing detector memory usage by ~40%
#Changed– Migrated detectors from requirements.txt to pyproject.toml, enabling cleaner separation of dev dependencies and reducing deployed bundle size and attack surface
#Removed– Fully removed personal teams and completed comprehensive code cleanup, completely eliminating several race-condition-related signup bugs
#Security– DoS Unbounded Loop Detection Large unbounded loops can lead to total protocol failure through denial~of~service attacks. We’ve reduced false positives by properly handling hardcoded loop sizes below reasonable bounds, especially for loops making external contract calls.
#Security– Zero Address Transfer Protection Most contracts should revert on transfers to the zero address to protect protocol and user funds. Our detectors now correctly avoid false positives on accounts that can never be the zero address (e.g., msg.sender) with full variable resolution.
#Security– Missing Reentrancy Protection Reentrancy, the classic smart contract vulnerability where external contract calls trigger callbacks into payable functions, is now detected with significantly hardened capabilities. We’ve improved both false positive reduction (by fully exploring the call graph and respecting callsite
Versions
#added– **Multi-file scan support**: Cross-contract flattening and deduplication, enabling detection of cross-contract and cross-library bugs
#added– **Dependency separation**: User-defined vulnerabilities are now cleanly separated from dependency-sourced findings to simplify triage and prioritization
#added– **Solo dev and hackathon support**: System now correctly handles mainline, non-org GitHub repositories
#added– **On-Chain Deployment Scanning**: Users can now register deployed contract addresses across 30+ EVM chains and trigger scans directly against deployed bytecode
#added– **Robust Solana fuzzing harness**: Outperforms publicly available fuzzers by ~5× in operations per second and memory efficiency
#changed– **Dramatic performance improvements**: Deep algorithmic and memory optimization — runtime on large repositories (e.g. Balancer) is now sub-5 minutes (down from 12+ hours) without sacrificing detection quality
#changed– **Systematic false positive and false negative reduction** across multiple detectors:
#changed– Now recognizes pre-Solidity 0.6 syntax, hex literal checks, and parenthesized ternary expressions
#changed– Division-before-multiplication now correctly handles small constant divisors, avoiding false positives on intentional flooring patterns
#changed– 90%+ improvement in reentrancy detection against the SmartBugs curated benchmark
#changed– **Cross-contract taint and callgraph analysis** for transitive internal calls
#changed– **Restructured issue summary generation** for better consistency, reduced drift, and improved per-instance summarization
#removed– *(No features were removed in this release)*
#security– **Cross-contract taint and callgraph analysis** for transitive internal calls (significantly improves detection of complex security issues spanning multiple contracts)
#security– Enhanced **Unbounded array DoS detector** – now better identifies gas-based denial-of-service vectors that could brick time-sensitive operations
#security– Improved **reentrancy detection** by 90%+ on the SmartBugs benchmark through better cross-function and legacy syntax support
#security– **Dependency separation** – clear distinction between user-defined and dependency vulnerabilities for more accurate risk prioritization
#security– **Hardened the scanner itself**: We closed a remote-code-execution, plus a report path-traversal write and an unauthenticated request that could crash the API. The platform now fails safe and self-heals after a crash.
#security– **16 new detector classes**: cover vulnerability shapes the tool previously missed entirely, including DEX-spot-price-used-as-oracle (the canonical flash-loan manipulation root cause), transaction-ordering/front-running, selfdestruct, and uninitialized storage pointers.
#security– **Measurable accuracy gain on the public SmartBugs benchmark**: more real vulnerabilities caught (308 markers, up from 277) while false positives fell (1,317 -> 1,286). Both pinned as CI floors so accuracy cannot regress.
#security– **Deeper cross-contract analysis**: inter-procedural tracking now reports a vulnerability at the entry point an attacker actually calls, and reachability analysis suppresses findings on code nothing can reach.
#security– **Correct Solidity inheritance modelling (C3 linearization)**: closed a class of cross-contract misses.
#security– **Full support for modern Solidity syntax that previously slipped past detection (e.g. call{value:…} option calls)**: plus a batch of targeted false-positive reductions.
#changed– **Reliable under concurrent load on a persistent server**: Scans are now isolated so one can no longer corrupt another’s results or leak memory.
#changed– **Faster, cleaner results**: Database-level pagination and indexing keep large scan histories responsive, and finding de-duplication yields one precise result per bug instead of generic-plus-specific duplicates.
#changed– **Better client experience**: Faster page loads, mobile layouts, and graceful handling of errors and interrupted logins.
#changed– **Every accepted limitation is now a CI tripwire**: known FNs/FPs have been explicitly categorized into xfail test tripwires.
#changed– **Strict typing and linting are hard CI gates**: with untyped escapes banned from production code.
#added– **Dependency separation completed end-to-end**: Findings in third-party/vendor code are cleanly split from a project’s own code across the engine, API, and UI.
#added– **An automated agentic review suite**: enforces our engineering standards on every change.